
NS: got insecure response; parent indicates it should be secure

I'm trying to run BIND on CentOS 6.3 on my school network and I'm having trouble getting external queries to work.

I can dig/query my own zones running on my server, but once I dig for an external domain name I see the following in my log files:

NS: got insecure response; parent indicates it should be secure

I have disabled DNSSEC with no result. I'm using the DNS forwarders from school; the helpdesk has no idea what's wrong at this point in time.

However, I CAN dig @SCHOOL-SERVER and it will return a correct answer. It's just working with the forwarders that doesn't seem to work.

Can somebody point me in the right direction here?

Jorre asked Nov 12 '12 10:11


2 Answers

This is related to the new DNSSEC feature which is now enabled by default. This might indicate the DNS resolvers/forwarders you are using do not support DNSSEC, so the responses appear to be insecure to your server.

You can either use resolvers that support DNSSEC or temporarily disable the feature on your server. To disable it, simply use these parameters in your named.conf or named.conf.options:

dnssec-enable no;
dnssec-validation no;

mazgalici answered Oct 20 '22 19:10


The internet can be a pretty frustrating place with people parroting the same answers; in place of a solution, you are being given workarounds.

I can tell you for a fact that if a DNS server says it is providing a secure response, then it is providing a secure response. The problem here is that DNS forwarders are stripping DNSSEC signatures, and this appears to be commonplace; since I haven't heard of this being done transparently, you probably have a forwarder set. So, if you do want to use DNSSEC in this manner, then disable your forwarder in named.conf.options:

options {
        directory "/var/cache/bind";
        //forwarders {
        //      8.8.8.8;
        //};

        dnssec-validation auto;
        dnssec-enable yes;
        dnssec-lookaside auto;
};

dbalnaves answered Oct 20 '22 18:10
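
To see what a forwarder "stripping DNSSEC signatures" looks like on the wire, the following added example (not code from the question or either answer) builds a query with the EDNS0 DO bit set and checks whether a response's answer section carries RRSIG records. The two sample responses are constructed, the RRSIG RDATA is a placeholder rather than a real signature, and the check assumes the queried zone is signed.

```python
import struct

NS, OPT, RRSIG = 2, 41, 46

def build_query(name, qtype=NS, qid=0x1234):
    """Query carrying an EDNS0 OPT record with the DO bit set (asks for RRSIGs)."""
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    # OPT RR: root owner, class field = UDP payload size, TTL field = flags (DO = 0x8000)
    opt = b"\0" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:        # compression pointer terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def dnssec_summary(msg):
    """Return (AD flag, list of answer-section RR types) for a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return bool(flags & 0x0020), types

def strips_signatures(msg):
    """True when the answer to a DO=1 query for a signed zone has no RRSIG."""
    return RRSIG not in dnssec_summary(msg)[1]

# Constructed sample responses for "example." NS (not captured traffic).
def _rr(rtype, rdata):
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

_Q = b"\x07example\0" + struct.pack("!HH", NS, 1)
STRIPPED = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _rr(NS, b"\x02ns\xc0\x0c")
SIGNED = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + _Q
          + _rr(NS, b"\x02ns\xc0\x0c") + _rr(RRSIG, b"\0" * 24))
```

To test a real forwarder, send the bytes from build_query(".") to it over UDP port 53 and pass the reply to strips_signatures(); a True result for a signed zone matches the behaviour that makes named log "got insecure response; parent indicates it should be secure".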